Low severity | NVD Advisory | Published Jun 26, 2024 | Updated Aug 1, 2024
Reflected XSS via X-October-Request-Handler Header
CVE-2024-25637
Description
October is a self-hosted CMS platform based on the Laravel PHP Framework. The X-October-Request-Handler header does not sanitize the AJAX handler name and allows unescaped HTML to be reflected back in the response. There is no impact, since this vulnerability cannot be exploited through normal browser interactions: the unescaped value is only observable when using a proxy interception tool. This issue has been patched in version 3.5.15.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| october/system | Packagist | >= 3.2, < 3.5.15 | 3.5.15 |
Affected products
- Range: >= 3.2, < 3.5.15
References
- github.com/advisories/GHSA-rjw8-v7rr-r563 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-25637 (NVD advisory)
- github.com/octobercms/october/security/advisories/GHSA-rjw8-v7rr-r563 (vendor advisory, x_refsource_CONFIRM)